Privacy & Data Security Law News

INSIGHT: Cyber-Risk Oversight Practices of Public and Private Company Boards of Directors

July 23, 2019, 8:01 AM

Which cyber-risk oversight practices have public and private company boards of directors been performing? The National Association of Corporate Directors 2018-2019 Public Company Governance Survey and 2018-2019 Private Company Governance Survey shed light on this topic, setting forth 16 cyber-risk oversight practices performed by boards of directors over the past year.

This article puts information from these surveys together and compares the Public Company Survey information to the Private Company Survey information, which can be used by public and private companies for benchmarking purposes. Such benchmarking may cause public and private companies to change their practices.

Public and private companies engaged in the same top three practices. The top practice was reviewing the current approach to securing the most critical data assets against cyberattacks, garnering over 70 percent of respondents in the Public Company Survey and over 60 percent of respondents in the Private Company Survey.

The second practice was reviewing the approach to data privacy protections and the third practice was communicating with management about types of cyber-risk information the board requires, each garnering over 60 percent of respondents in the Public Company Survey and over 50 percent of respondents in the Private Company Survey.

The bottom three practices are the same for public and private companies and there is consistency in respondent percentages for the bottom two practices. The fourteenth practice was evaluating the cybersecurity consequence of decisions (e.g., mergers and acquisitions, new product development, new market entry, etc.), garnering under 30 percent of respondents in the Public Company Survey and under 20 percent of respondents in the Private Company Survey.

The practice immediately ahead of the bottom practice was conducting a postmortem review following an actual or potential incident, garnering under 20 percent of respondents in each Survey. The bottom practice was participating in a simulation exercise or test of the cyberbreach response plan, garnering under 10 percent of respondents in each Survey.

While testing a response plan was the bottom practice, reviewing a response plan in the case of a cyberbreach was the fifth practice, garnering over 50 percent of respondents, in the Public Company Survey, and was the fourth practice, garnering close to 50 percent of respondents, in the Private Company Survey.

Questions to ask include why there is an over 40 percent difference between reviewing and testing a response plan and whether the percentages for testing a response plan will increase in 2019-2020.

There is divergence regarding the other practices. Discussing the impact of cybersecurity regulations was the eighth practice, garnering over 40 percent of respondents, in the Public Company Survey, and was the ninth practice, garnering over 30 percent of respondents, in the Private Company Survey, even though there have been notable privacy and cybersecurity law developments during 2018-2019: for example, in 2018, the European Union’s General Data Protection Regulation went into effect and the California Consumer Privacy Act was signed into law by the California governor.

Receiving briefings from internal advisers (e.g., internal auditors, chief information security officer or general counsel) was the fourth practice, garnering over 60 percent of respondents, in the Public Company Survey, and was the fifth practice, garnering over 40 percent of respondents, in the Private Company Survey.

Receiving briefings from external advisers (e.g., outside counsel, external audit firm, consultants, or government/law enforcement agencies such as the FBI) was the eleventh practice, garnering over 30 percent of respondents, in the Public Company Survey, and was the twelfth practice, garnering over 20 percent of respondents, in the Private Company Survey.

Reviewing cyber-insurance coverage was the seventh practice, garnering over 40 percent of respondents, in the Public Company Survey, and was the sixth practice, garnering over 30 percent of respondents, in the Private Company Survey. Assessing risks with employee negligence/misconduct was the tenth practice in the Public Company Survey and was the seventh practice in the Private Company Survey, and attending outside conferences or continuing-education events on cyber risk was the thirteenth practice in the Public Company Survey and was the tenth practice in the Private Company Survey, each garnering over 30 percent in each Survey.

Assessing risks associated with third-party vendors or suppliers was the ninth practice, garnering over 40 percent of respondents, in the Public Company Survey, and was the eighth practice, garnering over 30 percent of respondents, in the Private Company Survey.

The greatest divergence was in assigning clearly defined roles to standing committees of the board with regard to cyber-risk oversight, which was the sixth practice, garnering over 40 percent of respondents in the Public Company Survey, and was the eleventh practice, garnering over 30 percent of respondents in the Private Company Survey.

Finally, assigning clearly defined roles to the full board regarding cyber-risk oversight was the twelfth practice, garnering over 30 percent of respondents, in the Public Company Survey, and was the thirteenth practice, garnering over 20 percent of respondents, in the Private Company Survey.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Melissa Krasnow is a partner at VLP Law Group LLP, Minneapolis, and advises organizations and their directors and senior executives on domestic and cross-border privacy, data security, big data, artificial intelligence, governance, technology transactions and mergers and acquisitions. She is a National Association of Corporate Directors Board Leadership Fellow and an International Association of Privacy Professionals Certified Information Privacy Professional/US (CIPP/US).
